We want to provide a cluster for our customers with pre-installed applications and therefore want to give the customer all rights except on the namespaces provided by us and the system namespaces, such as "kube-system", so that they cannot see the sensitive information in secrets or break anything there. We have already tested with OPA, but unfortunately you can't intercept GET requests there, which means the secrets would still be viewable. It also doesn't work with RBAC because you can't deny access to a particular namespace there.
Is there a way to achieve this?
Thanks and best regards
Vedat
I solved the problem by giving the user a ClusterRole that only has permissions on namespaces and a ClusterRole that has permissions on everything. I bound the ClusterRole for the namespace with a ClusterRoleBinding and the other ClusterRole with a RoleBinding. So that the user also has permissions on the namespaces he dynamically creates, he needs a RoleBinding on the ClusterRole that is allowed to do everything.
To do this automatically, I use the tool Argo-Events, which triggers a RoleBinding deployment on a namespace creation event. And with OPA I prevent the user from changing or deleting namespaces.
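The RBAC layout described in this answer, written out as added example manifests that are not part of the original post. The object names, the user `customer-user`, the namespace `customer-apps` and the verb list on namespaces are assumptions for illustration.

```yaml
# Cluster-wide grant: the customer may only work with Namespace objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: customer-namespace-access   # hypothetical name
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    # Assumed verb set; the answer blocks change/delete through OPA admission.
    verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: customer-namespace-access
subjects:
  - kind: User
    name: customer-user             # hypothetical user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: customer-namespace-access
  apiGroup: rbac.authorization.k8s.io
---
# Full permissions, defined once as a ClusterRole but never bound cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: customer-full-access        # hypothetical name
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
# A RoleBinding to a ClusterRole applies its rules only inside metadata.namespace.
# One copy per customer namespace (the answer creates these via Argo-Events).
# kube-system and provider namespaces get no such binding, so their secrets stay unreadable.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: customer-full-access
  namespace: customer-apps          # hypothetical customer namespace
subjects:
  - kind: User
    name: customer-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: customer-full-access
  apiGroup: rbac.authorization.k8s.io
```

To verify the result, `kubectl auth can-i get secrets -n kube-system --as customer-user` should answer `no`, while the same check with `-n customer-apps` should answer `yes`.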